Ssid traffic control

Similar Messages

• ALV Grid Traffic control Example  program implemented with function modules

  Hi Friends,
  Can any one please give me ALV Grid control traffic lights  example program implented using function modules instead of OOP ALV. It is very urgent,
  Thanks in advance,
  Santosh Kumar.

  Hi Santosh ,
  Here is a sampla code for the same
  TYPE-POOLS : SLIS.
  DATA : BEGIN OF IT_1 OCCURS 0 ,
             MATNR TYPE matnr ,
             FLAG TYPE C ,  " added for the traffic control
         END OF IT_1.
  SELECT MATNR INTO TABLE IT_1 " Select Data
  UP TO 10 ROWS
  FROM MARA.
  DATA : CATALOG TYPE SLIS_T_FIELDCAT_ALV ,
         WA_CATALOG TYPE SLIS_FIELDCAT_ALV ,
         LAYOUT TYPE SLIS_LAYOUT_ALV .
  *" create catalog
  WA_CATALOG-FIELDNAME = 'FLAG'.
  WA_CATALOG-TABNAME = 'IT_1'.
  APPEND WA_CATALOG TO CATALOG.
  WA_CATALOG-FIELDNAME = 'MATNR'.
  WA_CATALOG-TABNAME = 'IT_1'.
  APPEND WA_CATALOG TO CATALOG.
  DATA : FLAG_T TYPE I.
  *"assign value to traffic signal
  LOOP AT IT_1.
  FLAG_T = SY-TABIX MOD 2.
  IF FLAG_T = 0.
  IT_1-FLAG = '1'.
  ELSE.
  IT_1-FLAG = '2'.
  ENDIF.
  MODIFY IT_1.
  ENDLOOP.
  *"specify the traffic signal field in the layout
  LAYOUT-LIGHTS_FIELDNAME = 'FLAG'.
  CALL FUNCTION 'REUSE_ALV_GRID_DISPLAY'
  EXPORTING
  *   I_INTERFACE_CHECK                 = ' '
  *   I_BYPASSING_BUFFER                =
  *   I_BUFFER_ACTIVE                   = ' '
  *   I_CALLBACK_PROGRAM                = ' '
  *   I_CALLBACK_PF_STATUS_SET          = ' '
  *   I_CALLBACK_USER_COMMAND           = ' '
  *   I_CALLBACK_TOP_OF_PAGE            = ' '
  *   I_CALLBACK_HTML_TOP_OF_PAGE       = ' '
  *   I_CALLBACK_HTML_END_OF_LIST       = ' '
  *   I_STRUCTURE_NAME                  =
  *   I_BACKGROUND_ID                   = ' '
  *   I_GRID_TITLE                      =
  *   I_GRID_SETTINGS                   =
     IS_LAYOUT                         = LAYOUT
     IT_FIELDCAT                       = CATALOG
  *   IT_EXCLUDING                      =
  *   IT_SPECIAL_GROUPS                 =
  *   IT_SORT                           =
  *   IT_FILTER                         =
  *   IS_SEL_HIDE                       =
  *   I_DEFAULT                         = 'X'
  *   I_SAVE                            = ' '
  *   IS_VARIANT                        =
  *   IT_EVENTS                         =
  *   IT_EVENT_EXIT                     =
  *   IS_PRINT                          =
  *   IS_REPREP_ID                      =
  *   I_SCREEN_START_COLUMN             = 0
  *   I_SCREEN_START_LINE               = 0
  *   I_SCREEN_END_COLUMN               = 0
  *   I_SCREEN_END_LINE                 = 0
  *   IT_ALV_GRAPHICS                   =
  *   IT_ADD_FIELDCAT                   =
  *   IT_HYPERLINK                      =
  *   I_HTML_HEIGHT_TOP                 =
  *   I_HTML_HEIGHT_END                 =
  *   IT_EXCEPT_QINFO                   =
  * IMPORTING
  *   E_EXIT_CAUSED_BY_CALLER           =
  *   ES_EXIT_CAUSED_BY_USER            =
    TABLES
      T_OUTTAB                          = IT_1
  * EXCEPTIONS
  *   PROGRAM_ERROR                     = 1
  *   OTHERS                            = 2
  IF SY-SUBRC <> 0.
  * MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
  *         WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ENDIF.
  so rem all you need to do is add a feild in internal table for the traffic signal , assign values 0 , 1, 2 to it and last specify the name of this feild in the layout.
  Regards
  Arun

• Multicast IPv6 - Traffic Control

  Hi Guys,
  We have a Deployment Multicast IPv6, and actually i need traffic control over interface that have EoMPLS configured; what is the best configuration for traffic control (4Mb up and 4Mb down of traffic Multicast).
  Or which are the best practices for deployment control traffic in Multicast IPv6?
  Thx in advance!

  Hi,
  It seems you are running EoMPLS with ethernet port mode.
  you could do bandwidth managment of traffic shaping on the subinterface each PE.
  HTH
  Mohamed

• Air Traffic Control Widget Does Not Work With OS 10.6.8

  Air Traffic Control Widget Does Not Work With OS 10.6.8.
  Any suggestions?
  SR

  No I have not. I have thought about just downloading another version...
  Thanks for your reply.
  SR

• Ssid access control with WPA Ent and RADIUS author

  Hi, I'd like to control the ssid requested in WPA Enterprise with RADIUS authorization: how to ?
  Is there an attribute in RADIUS IOS or Cisco Aironet ?
  thanks

  Depends on what you are using for a radius server.
  Here are some links that might help.
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

• Traffic Control in NAC

  Hi all,
  Is it possible to control traffic after user is authenticated by NAC? For example, a user can only access the server segment, not to other segment. From what i understand, after user is authenticated by NAC, that user is put to trusted segment and server segment is also in trusted segment, so i think it is not possible. Maybe other have another opinion?
  Thanks.

  Hi Brian,
  You can keep controlling traffic with NAC if you have a Clean Access Server (CAS) deployed inline for example:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_trfpol.html
  Regards,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Client looking to segment traffic via SSID using 2504

  I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
  My issue is, "how do you segment the ssid traffic via the WLC". The interfaces cia the gui aren't that intelligent, there's an enable and logging drop down. Via the command line, I didn't see any methods of routing traffic.
  Please assist, Thanks in advance.

  The controller doesn't 'route' traffic, it will just send it out the VLAN/Port the interface is configured for.
  So if you tell interface 'guest' to be linked to port 4, any WLAN that uses guest will be sent out port 4.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Does user traffic pass through Controller and Aironet 1030?

  Hi All,
  I want to beat out some questions that I cannot find exactly guideline in Cisco. I intend to implement 2 Airespace 2000 controller and some 1010s and one 1030 to my main office and branch office. At present, there is a 512kbps WAN link between this two office. So I don't want to let the traffic within the branch office to pass through the WAN link. Therefore, I intend to use the solution that 1 controller stay in main office to serve the 1010s in main office and 1 controller stay in remote office to serve the 1010s in remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 to stay in branch office and 2 controller stay in main office to perform controller's redundancy. I would like to know Does the clients' traffic pass through the link between 1030 and controller as the same as 1010? I does very confuse whether 1030 has this feature because I found some blur instruction of 1030 in Cisco.
  Further, if I place one of the controller in remote office, how can I control the APs in remote office to choose the local controller instead of the controller in main office using Layer 3 discovery method? Does any know? Thanks!
  Jason,
  best regards,

  Hi Jason,
  Hopefully this info will clear this up for you;
  Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
  A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
  Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
  Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
  A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
  At times of WAN link outage, all WLANs except the first is decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
  Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
  If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
  From this doc;
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
  Hope this helps!
  Rob
  Please remember to rate helpful posts.....

• Wireless Virtual LAN - SSID and ACS User Mapping

  Hi Everybody
  We have the following senario:
  - WLC 4402 and ACS 3.3
  - 2 SSID's , One for Emploies - one for gests
  - All users are (guest and emploies) are authentication against the ACS Server.
  We would like to only permit Guest users to use the Guest SSID.
  I've been reading the Wireless Virtual LAN Deployment Guide :
  http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
  and have tried to use methode 1.
  - RADIUS-based SSID access control:
  "Upon successful 802.1X or MAC address authentication, the RADIUS server
  passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
  "This is configured by enableling the ?[026/009/001] cisco-av-pair? option. On the ACS Server
  - Enable and configure Cisco IOS/PIX RADIUS Attribute,
  009\001 cisco-av-pair
  - Example: ssid=LEAP_WEP"
  I've tried this, but regardless of wich SSID the user(-group) has configured, it sill can access all SSID's?
  Does anyone have any idea of what I'm doing wrong?
  Does this setting only apply to Accesspoint, or is it also valid for the WLC 44xx series?
  Greetings
  Jarle

  Hi I'm sorry but this still does not help.
  We have now upgraded ACS to version 4.0 and I'm still having the same problems.
  This is what i have configured:
  WLC:
  - WLAN
  - SSID : Public
  - WLAN id = 3
  - L2 Security : 802.1x
  - Interface Name : GuestVLAN
  - Controller - Interface
  - management - Untagged
  - GuestVLAN - VLAN 112
  - Security
  - RADIUS Servers
  When authenticating a Guest(belonging to the proper group in acs) - the right VLAN is used, IP Adresses from DHCP is recieved, and the Guest can access internet.
  Switch:
  - Port connected to WLC uses Trunking.
  - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
  ACS:
  - AAA Client is the WLC, Authenticating using Cisco Airespace
  - Guest Users are member of Group 11
  - Private Users are member of Group 1
  Group 11
  - Use Per Group NAR to only allow WLAN Access
  - Cisco Airespace RADIUS Attributes
  x 14179\001 - Aire-WLAN-ID = 3
  - Cisco IOS / PIX RADIUS Attributes
  x 009\001 Ciso-av-pair = "ssid=Public"
  - IETF Radius Attributes
  x 006 Service Type = Login
  x 007 Framed-Prot = ppp
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 112
  Group (default Group)
  - Cisco Airespace RADIUS
  x 14179\001 Aire-WLAN-ID = 1
  - Cisco IOS/PIX Radius Attrib
  x 009\001 Cisco-av-pair = "ssid=Private"
  - IETF RADIUS
  x 008 Service-type = Login
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 1
  Do you have any idea of what i should change?
  Greetings
  Jarle

• WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

  Hi
  We have app. 1500 accespoints in app. 500 locations. WLCs are WiSM2s running 7.4.110.0. The AP are 1131LAPs.In a FlexConnect configuration we use vlan 410 as native vlan and the ssid (LAN) also in vlan 410. This works fine, never had any problems with this.
  Now we have started use 1602 APs and the client connection on ssid LAN becomes unstable.
  If we configure an different ssid, using vlan 420 and native vlan as 410, everything works fine.
  I can't find any recommandations regarding the use of native vlan/ssid vlan
  Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug wittin 1602 accespoints?
  Regards,
  Lars Christian

  It is the recomended design to put FlexConnect AP mgt into native vlan & user traffic to a tagged vlan.
  From the QoS perspective if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a vlan (other than native vlan) & trust CoS on the switch port connected to FlexConnect AP (usually configured as trunk port)
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Query: Best practice SAN switch (network) access control rules?

  Dear SAN experts,
  Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
  I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
  Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
  In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
  For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
  These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
  So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
  regards,
  Will.

  Hi William,
  That's a pretty wide net you're casting there, but i'll do my best to give you some insight in the matter.
  Speaking pure fibre channel, your only real way of controlling which nodes can access which other nodes is Zones.
  for zones there are a few best practices:
  * Default Zone: Don't use it. unless you're running Ficon.
  * Single Initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other which at best will give you a performance hit, at worst will bring down your systems.
  * Don't mix zoning types:  You can zone on wwn, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN Zoning. Don't use different types of these in one zone.
  * Device alias zoning is definately recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing hba's a heck of a lot less painful in your fabric.
  * LUN zoning is being deprecated, so avoid. You can achieve the same effect on any modern array by doing lun masking.
  * Read-Only exists, but again any modern array should be able to make a lun read-only.
  * QoS on Zoning: Isn't really an ACL method, more of a congestion control.
  VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
  When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
  Traditional IP acls (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to ethernet interfaces in your storage switch).
  They are quite logical to use  and work just the same on an MDS as on a traditional Ethernetswitch when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
  I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
  To protect your san from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
  http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
  That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

• Traffic shaping for each user

  Hello!
  I want to limit bandwidth to users. Each user must have own speed. For each user I define class-map and policy-map. But I have many users (above 500), but class-map limits 256 :(. How I can resolve my problem?
  My config for only 2 users:
  ip access-list extended u_2175_a
  permit ip any 10.10.10.1 0.0.0.0
  class-map u_2175
  match access-group name u_2175_a
  ip access-list extended u_2204_a
  permit ip any 10.10.10.2 0.0.0.0
  class-map u_2204
  match access-group name u_2204_a
  policy-map UNLIM_USERS
  class u_2175
  shape peak 256000
  class u_2204
  shape peak 512000
  Policy UNLIM_USERS applies to interface.
  Cisco 7200 NPE G2

  You can resolve your issues through enable intelligent traffic control to condition or applications for traffic rate limiting ie NBAR and Rate-limiting / CAR:
  You can designate CAR rate-limiting policies based on physical port, packet classification, IP address, MAC address, application flow, and other criteria specifiable by access lists or extended access lists. CAR rate limits may be implemented either on input or output interfaces or subinterfaces including Frame Relay and ATM subinterfaces.
  An example of use of CAR's rate-limiting capability is application-based rates limiting HTTP World Wide Web traffic to 50 percent of link bandwidth, which ensures capacity for non-Web traffic including mission-critical applications

• WSA is not getting WCCP traffic and cant browse any websites

  Hi,
  We have WSA configured for central office users web traffic control and its working fine. We also want to use the branch users to controler their web traffic using the same WSA. We have added the branch network subnets to existing WCCP ACL which is configured on 6509 core switch and could see http/https hits coming from branch subnets.
  We have created new Identity (with no authentication) and added the branch subnet to it and created new access policy and use the same identity. However users are not able to browse any website when we added the branch subnets to existing WCCP ACL. When we did packet capture on WSA for one of the PCs IP address on branch network there is no packet reaching on WSA. However when we did policy trace on WSA for the same branch IP address we could see the it was hitting correct policy and identity where allowed website is passing and blocked site is blocked. However users are not able to browse for any websites.
  Not sure where the problem is and appreciate if someone can guide us or give some troubleshooting steps to verify the configuration.
  thanks in advance.

  Hi Tony,
  Thanks for your response. Actually IP WCCP redirect out is already there on the interface connecting to firewall. Since we cant have WCCP redirect in on every users SVI we have used the firewal connecting interface as one gateway.
  Since we already use wccp redirect out we can't use the wccp redirect in connection on the WAN connecting interface. I have attached the network topolgy for better understanding. Also attached is the policy-trace output where I could see its hitting the correct Access policy. However im not sure what there's no packets found on the packet-capture output taken from WSA.
  the issue is that while the policy are intact, when I add the branch router to wccp ACL they cant access any of the websites. Not sure whether issue on WSA policy or WCCP config...??

• Prevent a control from updating during user interaction

  I have a slow (couple of kBauds) serial link to a device that I want to control from within LabView.
  There's an event loop that takes care of processing the control changes. When a control changes, the thread acquires a semaphore to access the serial link, sends out the new value and releases the semaphore again. In another thread, the device is periodically polled for actual values. All that works fine.
  The problem is that, due to the lag of the link (and polling and sending happening in two different threads), the newly set parameters are returned with a delay. So let's say, I have a slider from 0-1000 and I slide it down from 1000 towards 0. While I hold the mouse down on the slider, dragging it, the communication thread returns a value that is different from where the slider is at and therefore sets the slider to an outdated value. That makes the slider jitter and that's what I need to get rid of.
  I think this is a common problem, yet I couldn't find a straightforward solution. Basically, what I was looking for was a property "isEditing" or "isDragging" which I could check and then not update the control when this is true, to prevent that race between events. Does something like that exist? How do you guys tackle such a problem?
  Thanks,
  z

  zeeed wrote:
  I have a slow (couple of kBauds) serial link to a device that I want to control from within LabView.
  ...and therefore sets the slider to an outdated value. That makes the slider jitter and that's what I need to get rid of.
  I think this is a common problem, yet I couldn't find a straightforward solution. Basically, what I was looking for was a property "isEditing" or "isDragging" which I could check and then not update the control when this is true, to prevent that race between events. Does something like that exist? How do you guys tackle such a problem?
  Thanks,
  z
  THe first part of this post got wiped out by the goffy forum editor. I do not have time to retype it....
  applied when you get a new value from a queue or by polling the current value.
  While changing...
  THe control must act as control and must over-ride the widget value. The natural thought would be to put that code in the value change event... but how to do it such that the value does not get over-riden?
  Put SOMETHING inbetween that can mange the value. You could go as far as to develop an QMH (Queued Messae handler) or similar inplace to handle the logic but I don't think we have to go that far. I would first concider developing an Action Engine to act as the traffic control you need.
  Applying an Action Engine
  i would use the AE to intercat with the widget and store it curent value. YOu will need an Init Action and a Close action as is normal but I would include two mtehods that would help you with the Over-ride.
  Get Value - This action will read (using serial query) the current value of the widget and return the value to the caller. You could also have a "Read' or similar that would retireve the value from a Shift Register inside the AE. This action would be called regularly in your T.O. event and will keep the contro lupdated as to the widget value.
  Set Value - Would be the key action that can help you out. THe details depend  on the widget but in general the Action would acept the new over-ride value and use it to send the comand to the widget to set the new value AND will query the widget to ensure the widget took the seeting or reached that value. After the widget is done, the new value is cached in a SR in the AE so that the latter checks by the TO event give you the value you set.
  If you read the Nugget i linked you will see how an Action Engine blocks calls while it is running. By putting the code to set the widget value in the AE, you can ensure the widget went to the new value before any update code can read an old value.
  The above is just one idea and there are others. I would think other solutions would all involve putting some type of traffic control inplace so the AE is a natural solution.
  Note:
  I have used similar approaches in the past to enforce safety logic to ensure the automatic PID updates do not over-ride a safety-shutdwon scenario.
  I hope this helped more than it hurt,
  Ben
  Ben Rayner
  I am currently active on.. MainStream Preppers
  Rayner's Ridge is under construction

• Cisco nac access control

  Dear All,
  I have depolyed a cisco nac solution in inband virtual gateway mode.Everything is working fine.The issue is that i want to restrict intranet server access.Usually there is a web server configured on it and users can access by typing http://intranet.There are also shared resources on it.
  I want certain users to be able to access shared ressources but not access the intranet by typing http://intranet.I created access rules in traffic control to deny tcp protocol from the specified source to the destination ip address of the server on port 80and permit everything else.Users continue to access both ressources.
  Since it was not working, created access-list on the L3 3560 switch to deny connection on 172.31.0.3:80 and permit everything else and applied it to the users vlan svi.Still it does not work.
  How can i make it happen ?Please help.
  Thanks

  Yes Sir.. Check this link for supported devices with Cisco ISE
  http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."